Module 5: Federal Enforcement of HIPAA

﻿With that, so kind of our overview of federal HIPAA enforcements. And, so this module, we’re going to talk about what the Official of Civil Rights does for its enforcement. Recall that we have civil money penalty enforcement. You may recall that, and’ll we’ll get into this later, but we haven’t done much in the way of imposing penalties, but we have done a lot of enforcement, and so we’re going to provide information on that. And, then the Department of Justice has its own criminal penalty enforcement. So, hopefully at the end of this module, be able to describe what OCR’s activities are and our Enforcement Rule Authority, Authority and also what the OJ does. So what ways does OCR enforce HIPAA? We’re going to talk about and get right into this complaints. We operate on a complaint-based system. All complaints that come in the door, we make a commitment to investigate, well, to review I should say. Investigate, we’ll get into that as a key distinction. We want to look at all the complaints to see is there’s a true allegation. There are certain parameters that we won’t be able to investigate. If a case, for example, is is old, if it is not a covered entity, if it is not a violation of The Privacy Rule, those are situations where we wouldn’t do or we wouldn’t pursue it…that. So, as you can see from this graphic though, our our receipts started off the 2003 was the first effective time. So, of course those are going to be small, but everything else started in the six thousand range and has kind of gotten up to about eight thousand. And so, and that started to be fairly consistent. Note that in 2010 is, or I guess 2009 2010 is when we started taking over the Security Rule. Generally, if I recall those numbers were around the 250…260. So, fairly small in comparison, but as we get ahold of that and start doing more outreach, it may became more apparent, folks. These graphics are available on our website and the ones that you’re going to see next, as well. So, of the cases that we receive, what’s happening to them? This chart describes the status of all complaints received through the end of 2010. Those that are resolved includes those that are resolved, opened and received to date. So, you can see we’ve resolved about 91% of the complaints that we’ve received at this time. Open complaints include those that we are currently investigating, and those for which we’re determining satisfactory voluntary compliance or awaiting documentation from a covered entity. So, I wouldn’t call it our backlog, that’s our current working engagement. You can see from this slide that we’re actually a little bit head of the game. These are the resolutions that we have have done with the cases we have received. So we’re receiving eight thousand…..we have had the opportunity to actually resolve over nine-thousand and that’s a good thing. Generally, two-thirds of all investigations, not all complaints received again, result in corrective action. So, corrective action means that we have achieved some change on the part of the practices of the covered entity, meaning new policies and procedures, training, a more robust risk analysis, one or more changes that address the complaint and the issues uncovered by the investigation. To be sure these are cases that are investigated and demonstrate that there were issues with the HIPAA Compliance So, I’ve got a long slide here. This is basically our beginning to end investigative process. A side note on this before we dive into the details: covered entities are required by the Enforcement Rule to cooperate with our complaint investigations, so a lack of cooperation would be an additional violation. If a complaint describes an action that could be a violation of the criminal provisions of HIPAA, we would refer that to the Department of Justice for investigation. And there are specific grounds for criminal violations, which we will touch on a little bit later. So what happens in the complaint process? So, first, we have to receive a written complaint, we have to get something in the door, something that tells us that something is going on. Recall from yesterday, covered entities have an obligation to maintain an avenue by which a patient may make a complaint directly to that entity. Our program fully respects the important relationship between the patient and his or her provider and insurer. So a person need not, but has an option to go directly to the covered entity and raise their own privacy concerns. If that doesn’t result in satisfaction, or the person doesn’t want to deal with the covered entity, they’re welcome to come to OCR. So, once a complaint comes in house, it’s reviewed for sufficiency. Does it actually allege a violation of the HIPAA Rule? Is there an allegation that the entity is a covered entity? Is this a possible criminal violation that we need to refer to DOJ? Chart indicates a number of possible reasons a complaint may be made, but for which OCR does not have jurisdiction. Does..does this this mean that the person has no remedy? Not necessarily. State laws, other consumer protection laws, or professional obligations could be at issue, so what it does mean is that OCR does not have a basis to pursue a HIPAA claim, and similarly you would be equally limited in pursuing an allegation that OCR could not pursue on a HIPAA claim. So, if you look at the… the box in the bottom left column, you’ll see that they’re a number of reasons for which we would not be able to pursue a complaint. It may be prior to the effective date for HIPAA, it may be something that has been filed outside of the time limits and we decide not to make an exception for those time limits. It could be something that really just isn’t a violation of the rule. Either isn’t within the context of the rule, it isn’t PHI or it was, say a treatment disclosure. Somebody’s not happy about their Protected Health Information being shared with a doctor, but in fact, it was for treatment purposes, so it’s not a violation. So, once we get past this hurdle, we have a credible allegation against a covered entity that PHI was used or disclosed in a manner, that, if true, would violate the HIPAA Rule standard, then what? Well, we investigate. We send a notice to the covered entity, we ask for documentation, set up interviews and based on that investigation, we have one of a number of resolutions and that’s the next larger green box and the chart on the right. Note the we don’t something that says “Find A Violation”. We issue formal findings and once we issue those findings, there’s an opportunity for the covered entity to respond before OCR issues a Notice of Proposed Penalty, or that CNP. So we have ten Regional Offices. This is where the bulk of our investigative work takes place. We certainly, Iliana, Myself, Louis, David from yesterday, and Sue are out of the headquarters contingent. We occasionally do a little bit of investigative work, but generally it happens in the regions. So, you can look at your state and you can see which region you’re working with. I believe we have a couple of DC Regional attorneys here. You may have been introduced to them, so we also have very capable advice in the field and they’re intimately involved in working with our investigators. And, so far, that model has worked quite well. So, investigating complaints, what do we do? During an investigation, whether it’s a compliance review or a complaint, either one of those, interviews are conducted to try to understand the nature of the incident, discuss corrective actions taken since the incident occurred. Why is this important? Well, remember that our Enforcement Rule Mantra is to seek voluntary compliance. We haven’t heard much about CNPs. We haven’t had to move to that formal enforcement, but we’ve done a lot of resolutions, which means we’ve achieved a lot of corrective action. So we need to determine if there is an event that could give rise to a violation and what can be done to remedy and prevent future recurrences. Actions taken by the covered entity are important both in our seeking voluntary compliance and for some of the new HITECH CNP tiers, where a covered entity’s action may result in a lesser CNP. So, some of the things that we do are examine policies and procedures, conduct analyses to determine whether the processes are operating effectively and as intended. So, compliance reviews. A little bit similar to investigation. Of course, the ultimate question is what’s going on in the state of compliance with this covered entity? It’s one of the ways that OCR carries out its enforcement responsibility is to investigate complaints it receives, but also the compliance reviews, which are investigations initiated because of information received from a source other than a complaint. Again, a complaint is that within 180 days in writing, etcetera, but if we get it otherwise, we can take our own notice. So, a compliance review may address possible violations affecting one individual, or seek to determine an entity’s overall Privacy or Security Rule compliance. And, we see some of the areas that we might look at. Training, is that occurring? Is it scheduled? Has it taken place? Is there documentation? Do they have policies and procedures? Have they done that risk analysis? A compliance review might also include a number of these activities. Are they implementing the risk..the minimum necessary standard? What about their storage of electronic Protected Health Information stored on portable devices? Many hospitals now, and even provider offices are starting to implement small handheld devices. Have they thought about this? Is one side of their IT department pushing what may be a very great efficiency in moving this information, but they’re not talking well with their HIPAA or risk folks to see whether there are issues? Whether they’re putting Protected Health Information at risk? Resolution agreements. So, we find that there is something proverbially rotten in the state of Denmark, and although a covered entity has taken steps to remedy the issue and prevent a recurrence, that’s not enough. The covered entity wants to work with OCR and not receive a CNP. Our underlying goal here is achieving satisfactory compliance, satisfactory to OCR, to the Secretary, to HHS about that entity’s compliance. So, that’s the goal we’re working towards. And if we’re not satisfied, then we can move to more formal enforcement, but we’re still sitting on the informal side if we’re talking resolution agreements. So, a resolution agreement is a contract signed by HHS and the covered entity, in which the covered entity agrees to perform certain obligations. OCR uses this process in a handful of cases in which usual corrective action plan was insufficient, or wasn’t sufficient enough. The resolution agreement names a covered entity, identifies the conduct that is the subject of the resolution agreement, and describes the obligations the covered entity agrees to perform. It also describes any payment agreed to by the covered entity and may require the covered entity to makes reports to HHS for a period of time, typically three years. During this period HHS will monitor the covered entity’s compliance with obligations it has agreed to perform. So, for example, resolution agreements will often call for implementation of new policies and procedures, training for staff, compliance monitoring and updated notices. A side note here, you started hearing me use the lingo, we generally refer to this class of resolution as informal resolution. If we go in and investigate and we’re satisfied with what the entity has done, we may just say, “Thanks, we are happy with your actions to come into compliance and we close the case.” There may be situations where we do a corrective action plan or get to this level of the resolution agreement. We call these informal resolutions because our only formal remedy is that civil money penalty. So anything short of that CNP, where we’re definitely dealing with a potential violation, we’re going to call it informal. So, we’ve had a couple of resolution agreements as of late. You may have heard some of these in the news. There are a couple of these on the slide and I’ll give you a brief description of several of these. With Provident, we entered a resolution agreement where Provident agreed to pay $100,000 to HHS and they implemented a corrective action plan that requires them to revise their policies and procedures regarding physical and technical safeguards such as encryption, governing their off-site transport and storage of electronic media that contains PHI. They also agreed to train their workforce on these safeguards and to conduct reviews and site visits of their facilities. All of these actions, going to the end of trying to address what went wrong and trying to prevent recurrences. With CVS, they agreed to pay $2.25 million as a resolution amount and implement a corrective action plan that requires them to take the actions of revising policies and procedures on disposal of PHI, training their employees on these new procedures and enforcing the new procedures through their employee sanctions. By doing that, sounds like they had a problem either without having a sanctions policy or maybe they had a sanctions policy, but just didn’t apply it, so we wanted to correct that. They also agreed to internal monitoring and having an independent assessor conduct assessments of their compliance. For Rite Aid, they paid a $1 million resolution amount and then implemented a corrective action plan to revise, again, their policies and procedures around disposal of PHI, train their workforce, conduct internal monitoring, and have the independent assessor conduct assessments. Rite Aid and CVS were very similar situations. Two others we’ll call to your attention, Management Services Organization of Washington agreed to a resolution agreement where they paid 35,000 and agreed to safeguard their identifiable electronic PHI against impermissible user disclosure and the corrective action plan requires Management Services to develop and maintain and revise its policies and procedures to train its workforce on these policies and procedures. So, the issue here was that MSO was disclosing e-PHI to a group called Washington Practice Management, also owned by MSO, and that entity used the information for marketing purposes. So, it’s a situation where, again, once we get in and we do the investigation, this apparently was a long-standing practice they had. And they just either didn’t realize it, or something. This was actually a combined agreement, I think, with the FTC and DOJ, so that there were multiple parties in this investigation. The 35,000 seems a little low here, part of that is because you have multiple cooks in the kitchen trying to agree to this, and you know, we want to be an engaged federal partner. General Hospital Corporation and Massachusetts General Physicians Org agreed to pay us $1 million to settle their potential violations. They also agreed to a corrective action plan, you may also hear it called CAP, C-A-P, which requires a hospital to develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from their premises and train workforce members on these policies and procedures. Then they also designated their Director of Internal Audit Services to serve as an internal monitor and conduct assessments of their compliance and render semi-annual reports about that compliance for a three year period. This, I believe, was the information left on the subway. So again, what was the issue? They took it off-site, how do we address that? Make your policies and procedures. Make your people aware of what those policies and procedures are, about what happened that caused the violation, and try to prevent its recurrence. So, we’ve talked a lot about informal resolution, getting folks to comply. What about if we get to that point, that final step of, yeah, we need to impose a penalty? So, formal enforcement. If the covered entity fails to comply voluntarily, up the snuff to the Secretary’s standards, with the HIPAA Rules, or does not take the actions to resolve the matter in a way satisfactory to HHS, such as through a resolution agreement, OCR may decide to impose a CMP on the covered entity. Before imposing a CMP, the OCR will send a Notice of Proposed Determination, or NPD, notifying the covered entity of its findings and of the covered entity’s right to request a hearing. If the covered entity does not request such a hearing within the specified time period or does not reach an informal resolution with OCR, then OCR may issue a Notice of Final Determination, referred to as an NFD, which imposes the CMP. In general, OCR might impose a penalty on a covered entity for failure to comply with the requirements of the HIPAA Rules, both Privacy Rule and/or Security Rule. As of February 18th, 2011, if a covered entity violates a HIPAA Provision due to willful neglect, the Secretary is required to impose a CMP. That’s a change that’s from HITECH required to impose a CMP if it’s in the willful neglect category. And, we’ll see a slide in a minute that shows those tiers again. The amount of a CMP depends in part on the factors listed on this slide. So penalties may not exceed a calendar year cap for multiple violations of the same requirement. Note that OCR can obtain much higher CMPs than the states can obtain in damages. So, if there’s an entity that is especially egregious, OCR may be able to work with you and obtain substantial penalties on violators. The other side of that coin, while OCR has a different penalty structure, we can’t pursue state law claims. We can’t bring a full breadth of state concerns to the table and use that as a negotiation and as a resolution agreement. So, we’ve seen this slide yesterday. Notice how after the HITECH effective date, the law provides minimum and maximum penalties within each tier of culpability. Before that effective date, there were no maximums for us. Or, sorry, there were no minimums, there were only maximums, that one hundred dollars. And, there’s a much larger copy of this table in your Appendix. Not too hard to read up there. Aggravating and mitigating factors. You may be familiar with this scheme, both at the federal level and maybe in your state as well. In addition to implying/applying the tiers of culpability, OCR will consider certain aggravating or mitigating factors when determining the amount of a CMP. However, a CMP may not be imposed if an affirmative defense applies. Another key word, affirmative defense, and we’ll get to that in a second. See some of the aggravating/mitigating factors. We talked at the…a little bit about the resolution amount, appropriate amount to pay is a good question. Where do I start? I have a tier, or I have a maximum amount, is this a hundred dollar penalty? Is that my starting place? Is this a fifty dollar penalty? And, what do I need to look at things, such as the financial condition of the of the entity. It’s a serious consideration, not something law enforcement thinks about a lot, or at least I think about readily, but a serious policy consideration if this is the only hospital within a hundred mile radius and you’re going to financially sink that hospital, what’s better? To get that entity out of the program because of their failure to comply, or, which may result in people living near that hospital having two or three hour drives to get certain care? So, it’s considerations, and they can be both aggravating or mitigating. They can say we want more penalty amounts or we want lesser penalty amounts. Affirmative defenses. They’ve changed due to HITECH. So you can see those that were before and after that February 18th ’09 date and note that they differ based on when the violation occurred. So, at February 18th ’09, we had an interesting one, more or less, ignorance. If you did not know and by exercising reasonable diligence would not have known of the violation, then you weren’t going to be subject to a penalty. That’s gone. So, at this point, we can take action even if the offense is (pause) there…another issue. At this point, we can now take…we can take action even if the offense is punishable through criminal penalties. Previously, if there was a criminal penalty possibility, we were kind of prohibited from going forward. Now we are only limited when a criminal penalty has been imposed and that was a HITECH change. And we’ll discuss this a little bit further. So, if there’s a willful neglect case, but DOJ has applied criminal sanctions, then no CMPs would apply. But if DOJ hasn’t applied sanctions, then we’re free to go forward. So, if you think back to yesterday, HIPAA was a 1996 law. The effective date for the Privacy Rule was around 2003. It’s 2010 and we still haven’t had any CMPs, but we now have our poster child for a CMP. We imposed a Civil Money Penalty for Signet Health of Prince George’s County for their violations of the Privacy Rule in the amount of $4.3 million. CMP is based on violations and categories and the increased penalty amounts as authorized under HITECH. So there were penalties that were both pre-dated HITECH penalty amounts and those that were post-dated HITECH amounts. So, notice a proposed determination that we issued on October 20th, 2010, found that Signet violated forty-one patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating investigations of each complaint. The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30, and later than 60 days of the patient’s request. We learned that yesterday from Iliana. These violations for their failure to provide access for 1.3 million. During the investigation, Signet refused to respond to OCR’s demands to produce the records. Remember that short little note about required to comply, required to assist in the investigation? Well, Signet failed to cooperate with OCR’s investigations of the complaints and produce records in response to OCR’s subpoena. OCR filed a petition to enforce its subpoena in the U.S. District Court and obtained a default judgment against Signet on March 30th of 2010. In April 7th of 2010, Signet produced the medical records to OCR but otherwise made no efforts to resolve the complaints through informal means. So, OCR found that Signet failed to cooperate with OCR’s investigation on an ongoing basis from March 17th 2009 to April 7th 2010, over a year. And that failure to cooperate was due to Signet’s willful neglect to comply with the Privacy Rule and because covered entities are required under law to cooperate with investigations, CMPs for these violations were three million. So, notice, we’ve got a total of 4.3 million. The three million is really a total of a half million caps added together and notice, this was forty-one patients. Not five hundred. Not ten thousand. Forty-one patients. 4.3 million for a Civil Money Penalty. We like informal resolution. We think it achieves a good outcome, but if necessary, particularly if you’re going to require us to enforce a subpoena in District Court and achieve a default judgment, you’re not doing a lot of cooperation. As you can see, this was a 2010 case. And as you saw from prior slides, we’ve had many many investigations, this is by far the poster child. Typically, folks come…are much more willing to speak with us about what to do and how to accommodate compliance. So, a little recap. OCR carries out its HIPAA enforcement responsibility by investigating complaints filed with it about failures to protect the privacy of health information. We conduct compliance reviews to determine if covered entities are in compliance with their requirements and we may develop resolution agreements to outline obligations that covered entities agree to perform. If a covered entity fails to correct the cause of a violation, we may impose a CMP. So, a little bit about DOJ. Louis will talk about this a little bit more, but just to kind of whet your appetite for it, let’s talk about DOJ’s authority, responsibility and enforcement and a few examples of what it means to be a potential criminal violation. DOJ has jurisdiction over all HIPAA criminal matters, including authority to impose criminal penalties if someone knowingly discloses or obtains PHI in violation of the regulations. OCR and you, States Attorneys General, retain jurisdiction for civil matters, including imposing CMPs for us, or damages, as its termed for you. Based on a complaint allegation or investigation, OCR may refer a matter to DOJ, where it appears a criminal violation may have occurred. Question: Can you refer a case to DOJ? (pause) Absolutely. There’s no bar to you referring a case to DOJ if you believe a criminal violation may have occurred. Likely, if it’s a case that you’re providing notice to the Secretary, it may be an important issue to discuss if there are possible criminal violations. Even more so, before you go significantly down the trail of mounting an investigation, it’s probably important to coordinate with other folks that may have similar interests because we may have an investigation already ongoing. Or if DOJ is about to act, it may be important to know that, certainly, before we invest limited resources that we all have into pursuing cases. So, a criminal violation may have occurred, or if it appears that a person is knowingly or wrongfully misusing a unique health identifier. And this is a HIPAA topic we’re not really going to talk about much, but it’s sufficient for these purposes to just stick with that term. It’s a, or they have a knowingly or wrongfully obtains or discloses PHI in violation of the HIPAA Rule. So, a person, such as an employee, or any individual is considered to have obtained or disclosed individually identifiable health information in violation of the Privacy and Security Rules, if that IHI…IIHI is maintained by a covered entity and the individual obtains or discloses such information without authorization. In practice, criminal proceedings are more likely in certain situations, such as PHI obtained or disclosed for purposes of illicit personal gain. If there’s identity theft, or sale of PHI to a news outlet, those generally are going to put it squarely in the criminal crosshairs. Criminal penalties. What can DOJ do? A person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may face a criminal penalty of up to $50,000 and up to one year in prison. They increase those penalties up to $100,000 and up to five years of imprisonment, if the wrongful conduct involves false pretenses, and up to $250,000 and ten years of imprisonment…up to ten years…if the wrongful conduct involves the intent to sell, or transfer, or use that identifiable health information for a commercial advantage, for a personal gain, or for malicious harm. Note that DOJ, not OCR, and not yourselves, at least as far as HIPAA is concerned has jurisdiction for criminal violations. There may be criminal violations related to health information in your own jurisdictions and you would be the experts on that, so just be aware. Both OCR and SAG have the authority to pursue the civil actions, where DOJ has not applied a penalty as of February 2011. So, it is up to you to consider when and how and where you may want to coordinate with DOJ, certainly as we’re both walking down and forging a new path here to figure out how to interrelate on a civil matter. You’re going to have to pull into that your own calculation of both DOJ’s authority and your own state legal enforcement concerns. So, again, beginning in February 2011, OCR may impose a CMP or you may obtain damages unless a criminal penalty has been imposed by DOJ. Prior to these changes, made by the HITECH Rule, and that’s Section 11 76, statutes stated that HHS could not impose a penalty for a Privacy Rule violation if the act constituted an offense criminally punishable under Section 11 77. Notice the change. Big change. It’s not just if it smells like a criminal offense, we have to stay away. It is…unless DOJ actually is doing something. Unless their imposing that penalty, then we can go forward. So, the key things to remember. February 2011 is when this becomes effective. The prior to that time issue is that if it’s criminally punishable, then there’s a bar. After that time, it has to be…DOJ has imposed a penalty. And again, the other note, this goes to the ability to impose a penalty or to remind you that we’ve gotten a whole lot of mileage out of actions without imposing a penalty. So, examples of potential criminal violations. The following are some examples that might lead to criminal enforcement of HIPAA. Note that these types of cases are not within our jurisdiction. The buying and/or selling of Protected Health Information for commercial advantage or personal gain, a receipt or disclosure of PHI involving an unauthorized use of a passcode or a security system, intrusion into a computer system, or unauthorized removal of files or property from the premises. Also, a person alleged to have committed the receipt or disclosure as a law enforcement or oversight authority, or otherwise in a governmental position of trust. So, complaints that might lead to criminal enforcement. Receipt or disclosure resulting in malicious harm to one or more persons, or receipt or disclosure committed under false pretenses. Again, it’s important to be aware of this because this is when, if you will, the criminal potential bulb goes off and you need to, just like the psychotherapy notes, have the knee-jerk reaction to wait a second. If it’s malicious harm, if it’s selling for personal gain, then I may need to ask a few more questions before I go forward. I may need to pull another party into the mix. So, to recap. We’ve talked about the role of OCR’s HIPAA enforcement, including actions OCR takes to enforce HIPAA Rules, conditions under which OCR may take actions on a complaint and ways that an investigation of a HIPAA violation may be resolved by OCR. We’ve also talked about the DOJ’s role in enforcing HIPAA, where someone knowingly disclosed PHI in violation of the Privacy Rule or committed some other HIPAA criminal violation. And I think, again, a reminder summary of what we’ve been over. We described OCR’s enforcement. Hopefully, you’re much more familiar with that now and the actions that we take to achieve compliance on the Privacy Rule and Security Rule side and are a little more familiar with DOJ does and how that interrelates with your activities.